Apr 18, 2010
Dealing with a trojan virus on dreamhost
I host a lot of simple sites on Dreamhost. Imagine my surprise when I went to log into my control panel and was informed that Google had listed one of my sites as a suspected malware site.
The site it referenced was a very rarely used one that only housed a custom-built app (more of a script than an actual app), so I was puzzled as to how this site could have become infected.
I logged into the host, and did a quick check of the directory structure, and immediately noticed some suspicious things.
-rw-r--r-- 1 rgardner pg1704804 18716 2010-04-17 13:07 rargq.php
drwxr-xr-x 13 rgardner pg1704804 4096 2010-04-17 13:07 .
drwxr-xr-x 2 rgardner pg1704804 36864 2010-04-17 23:30 .files
I had never placed these here, so it was obvious that these were the culprits. I quickly chmod’d the file so I could investigate it further, and then looked at the contents of the .files directory. This directory contained 692 static HTML files, all with the same general format/content:
-rw-r--r-- 1 rgardner pg1704804 10874 2010-04-17 23:17 kelly pavlik boxrec.html
-rw-r--r-- 1 rgardner pg1704804 11016 2010-04-17 23:17 mayhem miller twitter.html
-rw-r--r-- 1 rgardner pg1704804 9987 2010-04-17 23:17 the good shepherd cast.html
-rw-r--r-- 1 rgardner pg1704804 10456 2010-04-17 23:18 edison miranda.html
-rw-r--r-- 1 rgardner pg1704804 11071 2010-04-17 23:18 mayhem miller vs gsp.html
-rw-r--r-- 1 rgardner pg1704804 11297 2010-04-17 23:19 the good shepherd quotes.html
-rw-r--r-- 1 rgardner pg1704804 11949 2010-04-17 23:19 mayhem miller next fight.html
-rw-r--r-- 1 rgardner pg1704804 10394 2010-04-17 23:19 the good shepherd trailer.html
-rw-r--r-- 1 rgardner pg1704804 11427 2010-04-17 23:21 mayhem miller ninja warrior.html
-rw-r--r-- 1 rgardner pg1704804 10769 2010-04-17 23:21 kelly pavlik record.html
-rw-r--r-- 1 rgardner pg1704804 6261 2010-04-17 23:30 mayhem miller wiki.html
To identify where these were coming from, I looked at the Apache access log for the time right around 2010-04-17 13:07 (the rargq.php timestamp).
I found the following lines from logs/access.log to be of interest:
69.89.31.119 - - [17/Apr/2010:13:07:49 -0700] "POST /images/moselle_sorcha.php HTTP/1.1" 200 275 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.2; ru; rv:1.9.1.2) Gecko/20090729 Firefox/3.5.2 (.NET CLR 3.5.30729)"
69.89.31.119 - - [17/Apr/2010:13:07:49 -0700] "GET /rargq.php?m=test HTTP/1.1" 200 10259 "-" "Mozilla/5.0 (compatible; Yahoo! Slurp; http://help.yahoo.com/help/us/ysearch/slurp)"
Somebody had managed to place a PHP script in my images directory and then POSTed to that script, which then kicked off thousands upon thousands of requests like the following:
67.195.112.60 - - [17/Apr/2010:13:16:12 -0700] "GET /robots.txt HTTP/1.0" 200 305 "-" "Mozilla/5.0 (compatible; Yahoo! Slurp; http://help.yahoo.com/help/us/ysearch/slurp)"
67.195.112.60 - - [17/Apr/2010:13:16:12 -0700] "GET /rargq.php?m=prom%20hairstyles%202010%20down%20dos HTTP/1.0" 200 5472 "-" "Mozilla/5.0 (compatible; Yahoo! Slurp/3.0; http://help.yahoo.com/help/us/ysearch/slurp)"
67.195.112.60 - - [17/Apr/2010:13:17:02 -0700] "GET /rargq.php?m=norfolk%20island%20pine%20poisonous%20to%20cats HTTP/1.0" 200 3954 "-" "Mozilla/5.0 (compatible; Yahoo! Slurp/3.0; http://help.yahoo.com/help/us/ysearch/slurp)"
67.195.112.60 - - [17/Apr/2010:13:17:08 -0700] "GET /rargq.php?m=lawrence%20wilson%20md HTTP/1.0" 200 4491 "-" "Mozilla/5.0 (compatible; Yahoo! Slurp/3.0; http://help.yahoo.com/help/us/ysearch/slurp)"
67.195.112.60 - - [17/Apr/2010:13:17:17 -0700] "GET /rargq.php?m=salt%20lake%20city%20marathon%20reviews HTTP/1.0" 200 4661 "-" "Mozilla/5.0 (compatible; Yahoo! Slurp/3.0; http://help.yahoo.com/help/us/ysearch/slurp)"
67.195.112.60 - - [17/Apr/2010:13:17:25 -0700] "GET /rargq.php?m=toyota.ca HTTP/1.0" 200 4470 "-" "Mozilla/5.0 (compatible; Yahoo! Slurp/3.0; http://help.yahoo.com/help/us/ysearch/slurp)"
67.195.112.60 - - [17/Apr/2010:13:17:37 -0700] "GET /rargq.php?m=sweetwater%20420%20fest HTTP/1.0" 200 4029 "-" "Mozilla/5.0 (compatible; Yahoo! Slurp/3.0; http://help.yahoo.com/help/us/ysearch/slurp)"
67.195.112.60 - - [17/Apr/2010:13:17:42 -0700] "GET /rargq.php?m=tx%20lottery%20live HTTP/1.0" 200 3809 "-" "Mozilla/5.0 (compatible; Yahoo! Slurp/3.0; http://help.yahoo.com/help/us/ysearch/slurp)"
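The two patterns visible in the log excerpt above (a POST to a .php file under an images directory, and one unknown PHP file being hit over and over with a free-text "m=" query) are easy to pull out of an access log routinely. The script below is an added example, not part of the original post; the log lines it scans are constructed samples modelled on the ones above, and the field positions assume Apache's combined log format.

```shell
#!/bin/sh
# Added example: flag two signs of a dropped spam script in an Apache
# combined-format access log. Sample lines are constructed, not real logs.
LOG=$(mktemp)
cat >"$LOG" <<'EOF'
69.89.31.119 - - [17/Apr/2010:13:07:49 -0700] "POST /images/moselle_sorcha.php HTTP/1.1" 200 275 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.2; ru)"
69.89.31.119 - - [17/Apr/2010:13:07:49 -0700] "GET /rargq.php?m=test HTTP/1.1" 200 10259 "-" "Mozilla/5.0 (compatible; Yahoo! Slurp)"
67.195.112.60 - - [17/Apr/2010:13:16:12 -0700] "GET /robots.txt HTTP/1.0" 200 305 "-" "Mozilla/5.0 (compatible; Yahoo! Slurp)"
67.195.112.60 - - [17/Apr/2010:13:17:02 -0700] "GET /rargq.php?m=lawrence%20wilson%20md HTTP/1.0" 200 4491 "-" "Mozilla/5.0 (compatible; Yahoo! Slurp/3.0)"
67.195.112.60 - - [17/Apr/2010:13:17:08 -0700] "GET /rargq.php?m=toyota.ca HTTP/1.0" 200 4470 "-" "Mozilla/5.0 (compatible; Yahoo! Slurp/3.0)"
10.0.0.5 - - [17/Apr/2010:13:20:00 -0700] "GET /index.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
EOF

# In combined log format field 6 is the quoted method ("POST) and field 7 is
# the request path. An images/ directory should serve static files only, so
# any POST to a .php file below it is worth a look. Prints: client path
php_posts_in_images() {
    awk '$6 == "\"POST" && $7 ~ /\/images\/[^?]*\.php(\?|$)/ { print $1, $7 }' "$1"
}

# Group requests that carry an "m=" query by the PHP file they hit and count
# them. One unfamiliar .php file with a large count is the spam-page
# signature seen above. Prints: count path (highest first)
query_fanout() {
    awk '$7 ~ /\.php\?m=/ { sub(/\?.*/, "", $7); print $7 }' "$1" \
        | sort | uniq -c | sort -rn | awk '{ print $1, $2 }'
}

php_posts_in_images "$LOG"   # 69.89.31.119 /images/moselle_sorcha.php
query_fanout "$LOG"          # 3 /rargq.php
```

On a real host, point both functions at logs/access.log and compare the reported paths against the files you know you deployed.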
I found the file and saw that it had been placed on the server several months ago:
-rw-r--r-- 1 rgardner pg1704804 28116 2009-11-26 13:09 moselle_sorcha.php
Around this time, a client I was hosting a blog for was notified that the blog software she was using was outdated and had a known vulnerability. Apparently, I was now a victim of her vulnerable software.
Interested to see if there were other scripts, I ran the following:
> find -type f -wholename "*/images/*.php" | wc -l
30
This meant that 30 of these files had been placed on my server. I removed them with another command:
> find -type f -wholename "*/images/*.php" -mtime -150 -exec rm {} \;
I added the mtime switch to exclude some known PHP scripts that I wanted to keep.
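The same find expression can be turned into a two-step cleanup that lists the matches first and moves them into a quarantine directory outside the web root instead of deleting them, so the dropped scripts stay available for comparison against the access logs. This is an added example, not part of the original post; the web root and quarantine directory are assumed arguments, and the 150-day cutoff is the one used above.

```shell
#!/bin/sh
# Added example: find .php files under any images/ directory modified within
# MAX_AGE_DAYS, list them for review, then quarantine (not delete) them.
MAX_AGE_DAYS=150   # same cutoff as the post, to skip older, known scripts

# Show each suspect with owner, size and mtime so it can be judged first.
list_suspects() {
    find "$1" -type f -path "*/images/*.php" -mtime -"$MAX_AGE_DAYS" -exec ls -l {} \;
}

# Move each suspect to $2, keeping its path relative to $1 underneath, and
# make the copy read-only so it cannot be served or edited by accident.
# Prints the number of files now in the quarantine directory.
quarantine_suspects() {
    root=$1; dest=$2
    mkdir -p "$dest"
    find "$root" -type f -path "*/images/*.php" -mtime -"$MAX_AGE_DAYS" -exec sh -c '
        dest=$1; root=$2; shift 2
        for f; do
            rel=${f#"$root"/}; rel=${rel#./}     # strip the scanned root prefix
            mkdir -p "$dest/$(dirname "$rel")"
            mv "$f" "$dest/$rel" && chmod 0400 "$dest/$rel"
        done' sh "$dest" "$root" {} +
    find "$dest" -type f | wc -l | tr -d " "
}

# Usage: script.sh WEBROOT QUARANTINE_DIR (directory names are assumptions)
case $# in
    2) list_suspects "$1"; echo "quarantined: $(quarantine_suspects "$1" "$2")" ;;
    *) echo "usage: $0 WEBROOT QUARANTINE_DIR" >&2 ;;
esac
```

Quarantining only removes the dropped scripts; the outdated blog software that let them in still has to be updated or taken offline, or the files will come back.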
Morals of the story
- People are jerks
- Potentially vulnerable software should be quarantined to reduce the impact of situations like this
- Access logs should be routinely analyzed to watch for things like this